Aias00 commented on code in PR #978: URL: https://github.com/apache/dubbo-go-pixiu/pull/978#discussion_r3393206635
########## admin/controller/auth/auth_test.go: ########## @@ -0,0 +1,51 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package auth + +import ( + "testing" + "time" +) + +import ( + "github.com/golang-jwt/jwt/v4" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) Review Comment: Thanks. This repository enforces imports-formatter in CI rather than plain gofmt grouping; the formatter output keeps separate import blocks and separates third-party groups. I kept the current grouping because the previous CI failure provided this exact formatter diff, and the latest branch keeps that format. ########## admin/controller/auth/auth.go: ########## @@ -115,6 +119,9 @@ func (j *JWT) ParseToken(tokenString string) (*CustomClaims, error) { // Input: token string, custom Claims structure object, custom function // Parse the token string into jwt's Token structure pointer token, err := jwt.ParseWithClaims(tokenString, &CustomClaims{}, func(token *jwt.Token) (any, error) { + if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { + return nil, TokenInvalid + } return j.SigningKey, nil }) Review Comment: Addressed in bce62c50 by moving the signing-method validation into JWT.keyFunc and reusing it from ParseToken. ########## admin/controller/auth/auth.go: ########## @@ -145,6 +152,9 @@ func (j *JWT) RefreshToken(tokenString string) (string, error) { return time.Unix(0, 0) } token, err := jwt.ParseWithClaims(tokenString, &CustomClaims{}, func(token *jwt.Token) (any, error) { + if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { + return nil, TokenInvalid + } return j.SigningKey, nil }) Review Comment: Addressed in bce62c50 by reusing JWT.keyFunc from RefreshToken as well, so ParseToken and RefreshToken now share the same signing-method check. ########## admin/controller/auth/auth.go: ########## @@ -99,6 +100,9 @@ func NewJWT() *JWT { // get signKey func GetSignKey() string { + if key := os.Getenv("DUBBOGO_PIXIU_JWT_SIGN_KEY"); key != "" { + return key + } return SignKey Review Comment: Addressed in bce62c50 by adding jwtSignKeyEnv and reusing it in both GetSignKey and the test. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
